Thursday, July 16, 2009

Podcast: Crypto-Gram 15 January 2009:

These tricks work because we all regularly interact with people we don't know. No one could successfully impersonate your brother...

It's human nature to trust these credentials. Impersonation is even easier over limited communications channels.

A lot of identity verification happens with computers. Computers are fast at computation but not very good at judgment, and can be tricked.

Good authentication systems also balance false positives against false negatives. Impersonation is just one way these systems can fail; they can also fail to authenticate the real person. Decentralized authentication systems work better than centralized ones.

Any good authentication system uses defense in depth. Since no authentication system is perfect, there need to be other security measures in place if authentication fails.

* Forging SSL Certificates

We already knew that MD5 is a broken hash function. Now researchers have successfully forged MD5-signed certificates.

This isn't a big deal.

Using cryptanalytic attacks to break real-world security systems is often much harder than cryptographers think.

But SSL doesn't provide much in the way of security, so breaking it doesn't harm security very much. Pretty much no one ever verifies SSL certificates, so there's not much attack value in being able to forge them. And even more generally, the major risks to data on the Internet are at the endpoints -- Trojans and rootkits on users' computers, attacks against databases and servers, etc. -- and not in the network.

This comment by Ted Dziuba is far too true: "If you're like me and every other user on the planet, you don't give a sh*t when an SSL certificate doesn't validate. Unfortunately, commons-httpclient was written by some pedantic f*cknozzles who have never tried to fetch real-world webpages."

I'm not losing a whole lot of sleep because of these attacks. No one should be using MD5 anymore.
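A way to check for MD5-signed certificates, as an added example that is not from the newsletter or this post: it reads the outer signatureAlgorithm OID from a DER-encoded certificate and flags MD5-based signatures. The function names are assumptions, and the two sample inputs are constructed skeletons with the right outer layout, not real certificates.

```python
# Added example: flag certificates whose signature algorithm is MD5-based.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def read_tlv(buf, pos, want_tag):
    """Return (value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError("unexpected DER element at offset %d" % pos)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return pos, pos + length

def decode_oid(body):
    subids, value = [], 0
    for byte in body:                        # base-128, high bit means "more"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    if not subids:
        raise ValueError("empty OID")
    first = subids[0]                        # first two arcs share one value
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + subids[1:]))

def audit(cert_der):
    """Return (oid, weak_name_or_None) for the outer signatureAlgorithm."""
    start, _ = read_tlv(cert_der, 0, 0x30)             # Certificate
    _, tbs_end = read_tlv(cert_der, start, 0x30)       # tbsCertificate, skipped
    alg_start, _ = read_tlv(cert_der, tbs_end, 0x30)   # AlgorithmIdentifier
    oid_start, oid_end = read_tlv(cert_der, alg_start, 0x06)
    oid = decode_oid(cert_der[oid_start:oid_end])
    return oid, WEAK_SIG_OIDS.get(oid)

def der(tag, body):  # tiny encoder, used only to build the constructed samples
    size = (len(body).bit_length() + 7) // 8
    head = bytes([len(body)]) if len(body) < 0x80 else \
        bytes([0x80 | size]) + len(body).to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(oid_body):  # constructed skeleton, NOT a real certificate
    alg = der(0x30, der(0x06, oid_body) + der(0x05, b""))
    return der(0x30, der(0x30, der(0x04, bytes(200))) + alg + der(0x03, bytes(17)))

MD5_CERT = sample_cert(bytes.fromhex("2a864886f70d010104"))     # md5WithRSA
SHA256_CERT = sample_cert(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSA
```

Run `audit()` over every certificate in a chain, intermediates included, since a weak signature anywhere below the trust anchor is what matters.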

* Biometrics

Biometrics may seem new, but they're the oldest form of identification.

What is new about biometrics is that computers are now doing the recognizing: thumbprints, retinal scans, voiceprints, and typing patterns. There's a lot of technology involved here, in trying to both limit the number of false positives (someone else being mistakenly recognized as you) and false negatives (you being mistakenly not recognized).

Biometrics can vastly improve security, especially when paired with another form of authentication such as passwords. But it's important to understand their limitations as well as their strengths. On the strength side, biometrics are hard to forge. It's hard to affix a fake fingerprint to your finger or make your retina look like someone else's. Some people can mimic voices, and make-up artists can change people's faces, but these are specialized skills.

On the other hand, biometrics are easy to steal. You leave your fingerprints everywhere you touch, your iris scan everywhere you look. And a stolen biometric can fool some systems.

The lesson is that biometrics work best if the system can verify that the biometric came from the person at the time of verification. The biometric identification system at the gates of the CIA headquarters works because there's a guard with a large gun making sure no one is trying to fool the system.

One more problem with biometrics: they don't fail well. Passwords can be changed, but if someone copies your thumbprint, you're out of luck: you can't update your thumb. Passwords can be backed up, but if you alter your thumbprint in an accident, you're stuck.